vswitch: Disable header-caching when IPsec is enabled

[openvswitch] / lib / netdev-tunnel.c

diff --git a/lib/netdev-tunnel.c b/lib/netdev-tunnel.c
index fdc1d976a4fc493bd673dafcdc6c6bade0bc8751..079830e63372ee45f47bdbf13da4c603f08b252d 100644 (file)
--- a/lib/netdev-tunnel.c
+++ b/lib/netdev-tunnel.c
@@ -62,6 +62,8 @@ parse_config(const char *name, const char *type, const struct shash *args,
              struct tnl_port_config *config)
 {
     struct shash_node *node;
+    bool ipsec_ip_set = false;
+    bool ipsec_mech_set = false;
 
     memset(config, 0, sizeof *config);
 
@@ -126,11 +128,24 @@ parse_config(const char *name, const char *type, const struct shash *args,
             if (!strcmp(node->data, "false")) {
                 config->flags &= ~TNL_F_HDR_CACHE;
             }
+        } else if (!strcmp(node->name, "ipsec_local_ip")) {
+            ipsec_ip_set = true;
+        } else if (!strcmp(node->name, "ipsec_cert")
+                   || !strcmp(node->name, "ipsec_psk")) {
+            ipsec_mech_set = true;
         } else {
             VLOG_WARN("%s: unknown %s argument '%s'", name, type, node->name);
         }
     }
 
+    /* IPsec doesn't work when header caching is enabled.  Disable it if
+     * the IPsec local IP address and authentication mechanism have been
+     * defined. */
+    if (ipsec_ip_set && ipsec_mech_set) {
+        VLOG_INFO("%s: header caching disabled due to use of IPsec", name);
+        config->flags &= ~TNL_F_HDR_CACHE;
+    }
+
     if (!config->daddr) {
         VLOG_WARN("%s: %s type requires valid 'remote_ip' argument", name, type);
         return EINVAL;